Solution to SQL access faults reported when a USG5300 firewall sits between users and the database servers

Publication Date: 2012-09-22 | Views: 3 | Downloads: 0

Issue Description

A USG5320 firewall is deployed between the server group and the user areas to protect the servers. Users can connect to the SQL database through the firewall, but after a connection has been open for a while, data transfer over it becomes slow or the application reports an error when it changes application data.

Alarm Information

None.

Handling Process

1. Use an ACL to match the sessions whose state must be held for a long time, for example:
    acl number 3998
    rule 0 permit tcp destination-port eq sqlnet
    rule 5 permit ip source 192.168.1.100 0
2. Enable the long-link function in the direction in which the data is sent:
    firewall interzone trust untrust
    firewall long-link 3998 inbound
    firewall long-link 3998 outbound
After a session matches the long-link ACL, it is kept for 7*24 hours. Whenever data passes through the session within that time, its lifetime is reset to 7*24 hours again.

Root Cause

Packets were captured and the detailed session information on the firewall was examined on site.
The result of the analysis is as follows:
By default the firewall keeps an SQL connection session for 600 seconds; if no new data arrives on the session within that time, the session is deleted. The user application cannot tell that the firewall has removed the session. When the user next sends data over the connection, the firewall must create a new session because the old one no longer exists, so the user experiences a long delay. If the application has a requirement on the data-sending delay, this causes the application to report an error.
The default keeping time on most of our firewalls is 600 seconds, so it needs to be modified.
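The session behaviour described in the handling process and root cause above can be modelled with a small session-table simulation. This is an added illustration, not Huawei USG code: the 600 s default timeout and the 7*24 h long-link lifetime are taken from the article, while the mapping of the sqlnet keyword to TCP port 1521, the client and server addresses, and the idle gaps in the replayed traffic are assumptions constructed for the example. The model ignores TCP state and direction and only tracks idle expiry.

```python
"""Toy model of a stateful firewall session table with a default idle timeout
and a long-link exemption driven by an ACL (added illustration, not USG code)."""

from dataclasses import dataclass
from ipaddress import ip_address

DEFAULT_SESSION_TIMEOUT = 600        # seconds; firewall default for the SQL session (from the article)
LONG_LINK_TIMEOUT = 7 * 24 * 3600    # seconds; lifetime of a long-link session (7*24 h, from the article)
SQLNET_PORT = 1521                   # assumption: the "sqlnet" keyword corresponds to TCP 1521


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def acl_3998(flow: Flow) -> bool:
    """Predicate equivalent of the article's ACL 3998."""
    # rule 0 permit tcp destination-port eq sqlnet
    if flow.proto == "tcp" and flow.dport == SQLNET_PORT:
        return True
    # rule 5 permit ip source 192.168.1.100 0   (wildcard 0 = exactly this host, any protocol)
    if ip_address(flow.src) == ip_address("192.168.1.100"):
        return True
    return False


class SessionTable:
    """Session table: each flow maps to its expiry time; lifetime depends on the long-link ACL."""

    def __init__(self, long_link_acl=None):
        self.long_link_acl = long_link_acl
        self.sessions = {}      # Flow -> absolute expiry time (seconds)
        self.created = 0        # how many sessions had to be (re)created

    def _lifetime(self, flow: Flow) -> int:
        if self.long_link_acl is not None and self.long_link_acl(flow):
            return LONG_LINK_TIMEOUT
        return DEFAULT_SESSION_TIMEOUT

    def _expire(self, now: int) -> None:
        # Sessions whose idle timer has run out are deleted; the endpoints are not told.
        for flow, expiry in list(self.sessions.items()):
            if expiry <= now:
                del self.sessions[flow]

    def packet(self, flow: Flow, now: int) -> str:
        """Process one packet; return 'refresh' if an existing session was reused, else 'new'."""
        self._expire(now)
        state = "refresh" if flow in self.sessions else "new"
        if state == "new":
            self.created += 1
        # Any packet on the session resets its lifetime (600 s or 7*24 h).
        self.sessions[flow] = now + self._lifetime(flow)
        return state


def simulate(long_link_acl, idle_gaps):
    """Replay one database connection that sends data after each idle gap (seconds).
    Returns the number of sessions the firewall created for that single connection."""
    table = SessionTable(long_link_acl)
    flow = Flow("10.0.0.5", "10.0.1.20", "tcp", SQLNET_PORT)   # constructed client -> DB server
    now = 0
    table.packet(flow, now)
    for gap in idle_gaps:
        now += gap
        table.packet(flow, now)
    return table.created


def long_link_matches(flows, acl):
    """Flows that would be held for 7*24 h under the given ACL; a broad ACL inflates this set."""
    return [flow for flow in flows if acl(flow)]


if __name__ == "__main__":
    gaps = [300, 900, 300]   # constructed: 5 min, 15 min and 5 min of silence between queries
    print("default timeout: sessions created =", simulate(None, gaps))      # 2: the 15 min gap kills the session
    print("long-link ACL:   sessions created =", simulate(acl_3998, gaps))  # 1: the session survives
```

The second run shows why the fix works: with the long-link ACL the 15-minute idle gap no longer exceeds the session lifetime, so the client's next query reuses the existing session instead of paying for a new one. The `long_link_matches` helper is there to check an ACL before deploying it; rule 5 of the article's ACL, for instance, holds every flow from 192.168.1.100 for 7*24 hours, not only its SQL traffic.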

Suggestions

Before implementing this, find out the user's application requirements, especially for database applications. Note that long-link sessions are kept for a long time, and the firewall's performance suffers if too many sessions match the long-link ACL, so make sure the ACL matches exactly the sessions that need it.